Foreign Legal Threat – an Unknown Regulatory Risk

Commentary by Dr. Shuki Friedman: Approximately two years ago, an Israeli company with extensive international operations found itself in a precarious, unusual crisis: blacklisted by the U.S. for violating US – Iran sanctions. Such a designation can severely undermine the reputation of a company and can have economic and criminal ramifications, both for the company and its directors. Other companies and banks absorbed large fines in the sums of hundreds of millions of dollars for violations of regulatory laws, mainly U.S.

This risk is not only the consequence for Israeli giants, nor is it solely related to trade with Iran. Every company or financial institution with international operations is predisposed to lengthy international and exterritorial legislation that exists in many countries.

Keeping track of possible exposure to sanctions regulations, money-laundering, terrorism and proliferation financing, export-control regimes and the prevention of corruption often falls between the cracks. This is because compliance mechanisms or a company’s legal counsels are not always aware of the regime in question or do not specialize in meeting the specific risks created by it.

Although many are unfamiliar with the regulations in these contexts, they are fraught with significant risks, including: financial risk in the form of huge fines of hundreds of millions of dollars, in the U.S. in particular, even if the action was not executed on U.S. soil; penal liability of managers and directors; and the considerable risk to a company’s reputation that can result from negative publicity or blacklisting, an action that can naturally also have dramatic financial repercussions, for instance a negative impact on stock prices.

It is important to remember that these risks do not necessarily stem from Israeli legislation and regulations. In many cases, the claim that the company met the demands of the Israeli law will be simply irrelevant. Therefore, even if a local legal counsel declares that “All is well”, it is entirely possible that this is not the case. These risks place heavy responsibility on the board of directors and company executives. They are the parties in charge of risk management in the company and they are the ones who will be held responsible for any economic or legal liabilities should the company fail. Therefore, they are obliged to take mandatory and all other possible actions to reduce these risks.

What do company executives and the board of directors have to do in order to reduce these risks? In truth, the response to the risks can be both simple and inexpensive and can prevent costly and serious harm to the company.

A full response covering the majority of risks would include a risk survey, the building of a compliance program, the creation of a system to support the compliance program and the company’s implementation of said program.

Risk Survey: Every company has its own uniquely characteristic areas of activity, and target markets where it operates and to which it is exposed. The aim of the risk survey is to show the company executives its exposure resulting from its global operations and point out the areas and markets more sensitive to international and exterritorial compliance regulations.

The Creation of a Compliance Program: A compliance program is never a generic product. A compliance program must be tailored to the company’s field of operation, its target market, and its exposure as revealed by the risk survey. A comprehensive compliance program would include reference to the company’s business management, while weighing up the risks and their implications on operations. The program would suggest procedures that the company should implement to avoid regulatory violations.

A System to Ensure Implementation of the Compliance Program: In accordance with the nature of its operations, the company must create a basic database to identify problematic contacts. Alternatively, or in cases where the internal due diligence process of the entities that the company works with (clients, intermediaries, and partners) is insufficient, the company must refer these reviews to a company that specializes in the subject. In certain cases, a basic review, for example of blacklisting, is a minimal requirement and the company must create internal or external tools in order to meet these needs.

Implementation of the Compliance Program: Compliance program can never replace an employee’s discretion. To incorporate and implement a compliance program, the company should recognize and absorb the rationale behind the compliance program. This applies particularly to groups of employees that deal with operations identified as having higher risks. Only a correctly deployed effective compliance program can hope to achieve its goal and reduce the company’s exposure to risk.

Taking these steps does not provide total protection from mistakes. However, it will fully protect the company from a legal standpoint. Even if the company unwittingly misled someone, causing them to perform an illegal action, no measures are likely to be taken against it, as it did everything in its power to act correctly and as required by law.

From the Israeli viewpoint, these risks appear distant in many cases. In practice, they are closer than we think and their realization could cost the company its very existence.

Dr. Shuki Friedman is a lecturer on international law at the Peres Academic Center and VP Compliance Solutions at Terrogence Ltd.

On the night of September 14, 2019, several attacks rocked two strategic infrastructure sites in Saudi Arabia. One target was a large oil field at Khurais, recently developed by the Saudi national oil company Aramco. The second is the company’s main processing center and one of the world’s largest oil refineries at Buqayq, 200 km northeast of Khurais.